Business Overview
The General Medical Council (GMC), a registered UK charity, exists to provide protection for patients and guidance for medical professionals. Its website acts as a portal for stakeholders, and the GMC's online presence is set to grow as it moves increasingly towards web-based services.
Background
The GMC decided that any major increase in its online business activity should be accompanied by structured, rather than organic, growth of its architecture. It was important for the GMC that any development should be bound to a rigorous security framework. The nature and sensitivity of the information being transacted means that an information security breach is unacceptable. The development and build processes were therefore carried out to minimise the risk of information leakage and susceptibility to attack.
To further reinforce their security stance the GMC demanded that the concurrent web and application projects be subject to testing. The testing needed to be:
- Methodical (in order to manage it effectively)
- Well documented (so that findings and recommendations could be translated directly into relevant work packages)
- Entirely consistent (as it was planned that testing would be carried out both ‘pre’ and ‘post’ rollout)
- Flexible (so that the content, duration, depth and intensity of the testing could exactly match the requirement)
- Transparent (enabling the GMC to scrutinise every aspect of the testing being carried out and use this to enhance future development work)
Once the testing criteria had been defined it was a straightforward matter of applying the appropriate methodologies to each testing scenario and carrying out the tests. The components requiring attention were:
- The rollout of the PLAB (Professional & Linguistic Assessment Board) online test booking application which carried an information transaction risk.
- The need to take secure online payments which involved a financial transaction risk.
- The provision of a real-time interface via their site with concomitant information leakage risk and authentication issues.
After weighing up several options the GMC chose to use MWR InfoSecurity to conduct the testing. The bulk of the project concentrated on a thorough application security test of PLAB. In order to provide thorough results the application was tested both before and after it went live.
Client Expectations
As with any web-enabled business activity, be it small or large, public or private sector, the GMC rightly identified the key concerns. These centre on the risks to systems and core databases from the public-facing links on its website.
The technical arm of the GMC's own auditor had been brought in to advise, and the technical architecture that was subject to MWR InfoSecurity's testing was established following their recommendations.
Benefits
MWR InfoSecurity won the GMC's business because of its straightforward approach to the requirement. The proposal was a clear 'fit' with the GMC's needs. An important factor was also the way in which MWR InfoSecurity approached the GMC - "…explaining [MWR InfoSecurity's] capabilities and relating this to our structure. It's also been important for us that there is a level of flexibility and support throughout the process".
The ultimate impact of the testing, however, is evident in the GMC's trust in the security of PLAB online bookings.
David Hall, GMC Project Manager
“The GMC is acutely aware that the information it holds and collects is very sensitive and therefore the security of any interactive web application was critical to its success.
Success in this first step toward online services was essential if we are to achieve our aim to place a significant part of our services online by 2005. [MWR InfoSecurity] testing gave us an independent view of the value of the security we had installed and allowed us to make changes which increased our confidence".